Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Vulnerabilidad en Discourse (CVE-2023-23616)

Gravedad CVSS v3.1:
MEDIA
Tipo:
CWE-400 Consumo de recursos no controlado (Agotamiento de recursos)
Fecha de publicación:
28/01/2023
Última modificación:
08/02/2023

Descripción

*** Pendiente de traducción *** Discourse is an open-source discussion platform. Prior to version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, when submitting a membership request, there is no character limit for the reason provided with the request. This could potentially allow a user to flood the database with a large amount of data. However it is unlikely this could be used as part of a DoS attack, as the paths reading back the reasons are only available to administrators. Starting in version 3.0.1 on the `stable` branch and 3.1.0.beta2 on the `beta` and `tests-passed` branches, a limit of 280 characters has been introduced for membership requests.

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:discourse:discourse:*:*:*:*:stable:*:*:* 3.0.1 (excluyendo)
cpe:2.3:a:discourse:discourse:1.1.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta2:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta3:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta4:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta5:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta6:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta6b:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta7:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.1.0:beta8:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta1:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta2:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta3:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta4:*:*:beta:*:*:*
cpe:2.3:a:discourse:discourse:1.2.0:beta5:*:*:beta:*:*:*